That's because people have to update their nuke. The phpnuke.org search hole should have been fixed by now, because I remember being able to do the IFrame in 7.9 when it was posted on waraxe's site, and they released 8.0 (which they're using on their site) a while ago.

I'm not sure what the web designer was thinking for this, but it doesn't filter any input.. *unless* you include <script> or </script> .. then it filters it all. But my guess is they got too many complaints from people named O'Brien showing up as O\'Brien ..

Heh, here's a funny example of when two filters work against each other. it doesn't filter out ' " > < .. they may need them for their encoded tracking numbers. (the form checks your order status). Instead they filter out all <script* and </script* and go to an error page. That's easy enough to get around with a <body onload=alert()>

The second filter erases all spaces though, since tracking numbers have none. This turns the workaround into <bodyonload=alert()>. That eliminates every other vector i know of. Except, now it bypassed the first filter:
<scr ipt>alert()</scr ipt>
will now execute when spaces are removed ^^

ironically, switching the order of the filters would be an almost effective filter (except for style="bind/expression")

in case symantec and mcafee were lonely https://www.zonelabs.com/store/application?namespace=zls_user&origin=login.jsp&event=button.login&zl_user_name=XSSman%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&destination=global.jsp&zl_user_password=&x=0&y=0